Several high-profile blogs got their WordPress installs “hacked”. Over an unknown period, someone added links to the site SEONIX on The Next Web, VentureBeat, W3-Edge, ShoeMoney, and CrunchBase. As of this writing, VentureBeat still has links on some pages. SEOmoz's Open Site Explorer tool shows a list of compromised pages, though many of those have since been fixed.
CrunchBase is essentially a wiki, so anyone can add links to it; no surprise there. The blogs, however, all use WordPress for content management and should have controls in place against arbitrary link insertion.
According to Jorg of TNW, “This person managed to get in via one of our editors’ logins and put links to his own site in 124 posts.” That points to poor user account management rather than a software vulnerability in WordPress. Jeremy Schoemaker (aka ShoeMoney) also said, “It was easy to pinpoint what administrative user's account had been compromised. It was a former employee who had not been on our staff for 2 years.”
None of the other sites made a public statement about what happened or how it was resolved. I put hacked in quotes at the beginning of the article because in neither documented case did anyone brute force their way into the blog: a legitimate user account was used both times, so my guess is that all the blogs were victims of poor password and account management.
WordPress User Policies Are Flawed
Seeing several widely read blogs vandalized through valid user accounts exposes a key gap in WordPress user management: there is no password expiry or inactivity policy. An account that nobody has logged into for years still accepts the same credentials as long as the account exists.
WordPress isn’t the only software with this shortcoming, but it is by far the most popular. Forum software developers addressed the same issue in the traditional way; vBulletin, for example, sets an expiry on user passwords and forces users to change them after a fixed number of days.
Forcing users to change their password is no guarantee that a password won’t leak, but it’s an important part of managing user accounts. Network administrators have enforced this type of policy for all of the 20+ years I’ve accessed corporate networks. One caveat: expiry only helps if an expired password locks the account rather than merely prompting for a new one at the next login; otherwise whoever holds a dormant account's old credentials is simply asked to pick a new password. The more direct control against the attack described here is to disable or downgrade accounts after a period of inactivity, which is what the next section covers.
Prevent This From Happening to Your Blog
How do you make sure your own blog doesn’t become a victim of a link vandal? Eliminate or downgrade inactive user accounts.
The best way to keep someone from making sweeping changes to your blog through an exposed account is to remove accounts that are no longer used. For blogs whose contributors come and go, I understand the need to keep a byline for those authors; you can downgrade inactive accounts to Subscriber instead, which keeps the byline but strips the ability to edit or publish anything.
Changing the password on those accounts is another important step. For additional security, change the email address on inactive accounts as well, so that nobody can use the password-reset link to regain access through a mailbox you no longer control.
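Here is one way to automate the inactive-account downgrade described above. It is an added example, not code from the original post or from WordPress itself, written as a must-use plugin that records each login, then once a day demotes privileged accounts that have been idle past a cut-off, sets them a random password, and kills their sessions. The 90-day cut-off, the STALE_ACCOUNT_* names and the list of logins to leave alone are assumptions; adjust them for your site.

```php
<?php
/**
 * Plugin Name: Stale Account Lockdown
 * Description: Example (not from the original post): demote idle privileged accounts.
 * Drop this file into wp-content/mu-plugins/ so it loads on every request.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Never run outside WordPress.
}

// Assumptions: 90 idle days is the cut-off, and these logins are never touched.
const STALE_ACCOUNT_DAYS = 90;
const STALE_ACCOUNT_KEEP = [ 'siteowner' ];
const STALE_ACCOUNT_META = 'stale_account_last_login';
const STALE_ACCOUNT_CRON = 'stale_account_daily_sweep';

// wp_login passes ($user_login, $user); stamp the login time on the user.
add_action( 'wp_login', function ( $user_login, $user ) {
    update_user_meta( $user->ID, STALE_ACCOUNT_META, time() );
}, 10, 2 );

// Schedule the daily sweep once; WP-Cron fires it on a later page load.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( STALE_ACCOUNT_CRON ) ) {
        wp_schedule_event( time(), 'daily', STALE_ACCOUNT_CRON );
    }
} );
add_action( STALE_ACCOUNT_CRON, 'stale_account_sweep' );

/**
 * Demote every privileged user whose last recorded login is older than the
 * cut-off. Returns the logins that were demoted so the result can be checked.
 */
function stale_account_sweep() {
    $cutoff  = time() - STALE_ACCOUNT_DAYS * DAY_IN_SECONDS;
    $demoted = [];

    // Subscribers are already harmless; only look at roles that can write.
    $users = get_users( [
        'role__in' => [ 'administrator', 'editor', 'author', 'contributor' ],
    ] );

    foreach ( $users as $user ) {
        if ( in_array( $user->user_login, STALE_ACCOUNT_KEEP, true ) ) {
            continue;
        }

        $last = (int) get_user_meta( $user->ID, STALE_ACCOUNT_META, true );
        if ( 0 === $last ) {
            // No login recorded yet (plugin installed after the user's last
            // visit). Start the clock now instead of demoting blindly.
            update_user_meta( $user->ID, STALE_ACCOUNT_META, time() );
            continue;
        }
        if ( $last > $cutoff ) {
            continue; // Active recently.
        }

        // Keep the user row (and therefore the byline) but remove all power:
        // Subscriber role, fresh random password, every existing session gone.
        $user->set_role( 'subscriber' );
        wp_set_password( wp_generate_password( 32, true, true ), $user->ID );
        WP_Session_Tokens::get_instance( $user->ID )->destroy_all();

        $demoted[] = $user->user_login;
    }

    if ( $demoted ) {
        wp_mail(
            get_option( 'admin_email' ),
            'Stale accounts demoted to Subscriber',
            "The following idle accounts were demoted:\n" . implode( "\n", $demoted )
        );
    }

    return $demoted;
}
```

The password reset alone is not enough: wp_set_password() changes the stored hash but does not log out a browser that is already signed in, which is why the sweep also destroys the user's session tokens. Changing the account's email address, as suggested above, is left as a manual step because the plugin has no safe address to substitute.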
Additional Security Measures
There are many additional steps you can take to protect your WordPress install, but here are a few that will help you sleep easier:
Stop using “admin” as a user account. Every WordPress install defaults to a user named admin, so it is the first name any attacker will try. Create a new administrator with a unique name and delete “admin”; when you delete it, WordPress offers to attribute its posts to another user.
Require https for all logins. Define FORCE_SSL_ADMIN in wp-config.php and WordPress will redirect the login form and the whole dashboard to https (older releases used FORCE_SSL_LOGIN, which covered only the login form and was deprecated in WordPress 4.0). If your host does not provide a certificate you can generate a self-signed one, which stops anyone sniffing your password when you blog at a coffee shop. Be aware that every browser will warn about a self-signed certificate, and getting used to clicking through that warning is exactly the habit a man-in-the-middle attacker relies on; a certificate from a CA your browser already trusts is better.
Put a server password on your wp-admin directory. HTTP Basic Authentication makes you type a username and password before you even reach the WordPress login screen. Requiring a server password to get to wp-admin can seem like a minor inconvenience when you blog, but it makes sure only the right people get that far. Basic Authentication only base64-encodes the credentials, so it adds real protection only over https; pair it with the previous item. If a blogger quits, make sure you change this password. If your hosting company uses something like Plesk or cPanel, set this password there.
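As an added example (not from the original post), here is the Apache configuration that puts wp-admin behind a Basic Authentication prompt while leaving admin-ajax.php reachable. It assumes Apache 2.4 and a password file at /etc/apache2/wp-admin.htpasswd, outside the document root; both the path and the user names used when creating that file are assumptions.

```apache
# Added example, not from the original post. Save as wp-admin/.htaccess
# (or put the same directives in a <Directory> block in the vhost config).
AuthType Basic
AuthName "Editorial access"
AuthUserFile /etc/apache2/wp-admin.htpasswd
Require valid-user

# Themes and plugins call wp-admin/admin-ajax.php on behalf of anonymous
# visitors (comment forms, infinite scroll, and so on). Left behind the
# prompt, those features break for readers, so exempt that one file.
<Files admin-ajax.php>
    Require all granted
</Files>
```

Create the password file with `htpasswd -c -B /etc/apache2/wp-admin.htpasswd alice` (the -B flag selects bcrypt; drop -c when adding further users) and give every blogger their own entry rather than one shared secret. When someone leaves, `htpasswd -D /etc/apache2/wp-admin.htpasswd alice` removes just their line, which is a far smaller change than rotating a password everyone else has to learn.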
Create a Blogger Exit Checklist
When someone quits a company, typically there’s an exit procedure. Passwords are changed, building security codes are modified. Measures are put in place so the former employee no longer has access to company data. The same should also be true when someone quits your blog. Make a list of all the things you give people access to. When they leave, remove that access. This isn’t necessarily because you no longer trust them; it’s because you don’t know where any of that information might end up.
If You Do Get Vandalized
If someone does manage to access your blog and post links, Shoemoney offers some great tips on cleaning it up.
Note: For historic purposes, here’s a screenshot of pages with links to SEONIX (via Open Site Explorer) around the time of this writing.